I'm using a timechart visualization as a drilldown on a dashboard where the time range is controlled by radio buttons with options of: -24h@h, -7d@d, -30d@d, -60d@d, -90d@d, -6mon@d, and -1y@d.  ...... | timechart count by "Site Name" Most everything works fine but when I switch select -6mon@d or -1y@d the timechart no longer displays the events with their actual date and instead labels all of them as the first of the month (i.e. July 1, 2023).    I imagine this is something to do with timechart's automatic grouping based on time range but is there a way to disable this and have the events displayed with their actual date?   Not only is it important for analysis purposes, I have a drilldown of this timechart that shows the specific event data but my search is dependent on the timechart returning the specific date. See search below: ........ | eval dtg=strftime($dd_earliest$, "%d %b %Y") | where Start=dtg AND 'Site Name'="$selected_site$" These values are set in the drilldown stanzas of the search: | timechart count by "Site Name" <set token="selected_site">$click.name2$</set> <eval token="dd_earliest">$click.value$</eval> ... View more

I can't use the field extractor because the field configurations are frequently very different and it gives me errors so I've been using "| rex" instead.  Can someone help me adjust my regex to only capture "P3820 Houston to A345 Atlanta Line Down" for the field "Details" every time? | rex field= "(?<Details>.*)\s-\s\d{4}[Z]\s\d{2}\s[a-zA-Z]{3}\s-\s(\d{4}Z\s\d{2}\s[a-zA-Z]{3}|On)" field examples:  P3820 Houston to A345 Atlanta Line Down - 1339Z 19 May - On-going - TKT39390423 P3820 Houston to A345 Atlanta Line Down - 1339Z 19 May - 0834Z 20 May - TKT39390423 P3820 Houston to A345 Atlanta Line Down - 1339Z 19 MAY - Ongoing - TKT39390423 - 1339Z 19 May - On-going - TKT39390423 P3820 Houston - A345 Atlanta Line Down - 1339Z 19 MAY - Ongoing - INC39390423, DIRJ LLO MM#:394039 - 1339Z 19 May - On-going - TKT39390423 P3820 Houston - A345 Atlanta Line Down - 1339Z 19 MAY - 1834Z MAY - INC39390423, DIRJ LLO MM#:394039 - 1339Z 19 May - 0834Z 20 May - TKT39390423 I don't have any issue for the first two but when the date/time range is repeated I end up with everything before the second  "1339Z 19 May" included in the "Details" field ... View more

I have a classic dashboard that has 8 separate 'pages' controlled by a dropdown selection. I just added drilldowns to almost every visualization and have around 60 searches in the dashboard and it's starting to get laggy. Is there a way to only execute searches on the page when I select it, instead of all at once?   ... View more

I've seen a few posts on this topic but couldn't find an answer that fits my use case.  How can I change the sort order of data in a Trell... - Splunk Community This one suggests adding spaces before the aggregated field but uses static data. I have a single value trellis visualization on a dashboard that updates based on time-range radio buttons. The values change every few days so I need a solution that is flexible with data updates. | my search | stats count(Alert) as Alerts by App The results have between 15-40 Apps, depending on time-range, that have values from 1-40. Since the treillis will only show 20 results on the first page, it would be much better to show the highest values first instead of alphabetical order of the App names. I tried adding an eval statement at the end to assign the values to each App but this sorts it from lowest to highest and doesn't account for double digits correctly. Sorting them 1, 14, 2, 23, 3, 35, 38, 4, 41 | my search | stats count(Alert) as Alerts by App | eval App="(".Alerts.") ".App | stats values(Alerts) by App If there isn't a direct way to sort by value, I feel like this is on the right path but not quite right. How to sort on single value in trellis? - Splunk Community This seems to be inline with my train of thought but not sure how the "severity" field is generated. ... View more

My dashboard has about 45 panels split between 8 pages using a dropdown. I am adding drilldowns that open panels that are hidden until a user clicks on a chart or table. My issue is that when I'm on a certain page and click on a visualization and the hidden panel appears, it remains displayed when I switch to a different page. I can't copy and paste my code so here's a snippet of what I have: <form>   <label>My Dashboard</label>   <fieldset submitButton="false">     <input type="dropdown" token="type" searchWhenChanged="true">       <label>Select Page</label>       <choice value="A">A</choice>       .......same for B-G.......       <choice value="H">H</choice>       <change>         <condition value="A">           <set token="A_panel">true</set>           <unset token="B_panel"></unset>            ......unset C-H......         </condition>         <condition value="B">           <set token="B">true</set>           <unset token="A_panel"></unset>           ......unset C-H......         </condition>         <condition>           .....Repeat for C-H.....         </condition>       </change>     </input>   </fieldset>   <row>     <panel depends="$A_panel$">       <title>Panel A1</title>       <table>         <search>           <query>| index=* App=* Status="Down" | table App A B C </query>           <earliest>0</earliest>           <latest></latest>         </search>         <option name="drilldown">cell</option>         <drilldown>           <set token="show_panel_A1">true</set>           <set token="selected_app">$click.value$</set>           <eval token="drilldown.earliest">case($click.name2$=="30 Days", "-30d", $click.name2$=="60 Days", "-60d")           <eval token="drilldown.latest">case($click.name2$=="30 Days", "now", $click.name2$=="60 Days", "-30d")         <drilldown>       </table>     </panel>   </row>   <row>     <panel depends="$show_panel_A1$">       <title>Count for $selected_app$</title>       <chart>         <search>           <query>| index=* App=* Status="Down" earliest=$drilldown.earliest$ latest=$drilldown.latest$ | search App="$selected_app$" | timechart count by App </query>         </search>       </chart>     </panel>   </row> I've tried adding the <unset token> for other drilldown panels under <drilldown> and <condition value=""> sections but the panels don't hide again after I select a different drilldown or move pages. ... View more

I created a search that shows the count of outages by certain Apps over spans of last 90 days, broken up by last 30, 31-60, and 61-90. I want to configure the drilldown so I can click on the value for an app in one of these timespans and show a table with the App name and Alert message. The search operates how I want, just not sure about the drilldown capabilities. Search: index=... sourcetype=... App=* Status="Down" earliest=-90d latest=now() | fields Alert App Status | dedup Alert | stats count(Alert) as "C" by App | join type=left      [search index=... sourcetype=... App=* Status="Down" earliest=-60d latest=now()      | fields Alert App Status      | dedup Alert      | stats count(Alert) as "B" by App] | join type=left      [search index=... sourcetype=... App=* Status="Down" earliest=-30d latest=now()      | fields Alert App Status      | dedup Alert      | stats count(Alert) as "A" by App] | fillnull value=0 A B C | table App A B C | eval B=B - A | eval AB=A + B | eval CC=C - AB | eval Sum=A + B + CC | rename A as "30 Days", B as "31-60 Days", CC as "61-90 Days" | fields App "30 Days" "31-60 Days" "61-90 Days" Results Example: App                    30 Days                    31-60 Days                    61-90 Days                    Sum App1                   5                                7                                          0                                         12 App2                   2                                4                                          10                                       16 My drilldown search will be something like: index=... sourcetype=... App=* Status="Down" | dedup Alert | search App="$click.value2$" | table App Alert Is there a way to set a token to select the time range based on where I click? Any recommendations to get just the values for example the 7 events for "App1" "31-60 Days"? ... View more